我一般用 tcpdump 有两种用法，一个是存盘，拿 wireshark 看，那么的话，就这么写
tcpdump -s 0 -i any -p udp and src 10.170.7.40 -w `date +%s`.pcap
I always forget the parameters for this and have to look them up in the man page, so enough of that:
tcpdump -nnXSs 0 ‘port 80’
“-nn” makes it not lookup hostnames in DNS and service names (in /etc/services) for respectively faster and cleaner output.
“-X” makes it print each packet in hex and ascii; that’s really the useful bit for tracking headers and such
“-S” print absolute rather than relative TCP sequence numbers – If I remember right this is so you can compare tcpdump outputs from multiple users doing this at once
“-s 0” by default tcpdump will only capture the beginning of each packet, using 0 here will make it capture the full packets. We are debugging, right?
Instead of “port 80” you can make more complicated rules like “port 80 and host 10.50.33.10”.